Viktor Trojanovic
2017-Jun-19  00:24 UTC
[Samba] New AD user cannot access file share from member server
I run a very small Samba AD, consisting of a Samba AD DC and a Samba AD Member Server, acting as file server.

Today, I added a new user to the AD but I simply can't manage to get access to the file server - only for this user, all others are working fine.

My AD is rfc2307 based, so I manually have to add UIDs. I did so for the new user, the ID is within range and not in use. I double checked and compared all other attributes with those of an existing user, no difference, all matches.

As it's working from the other user profiles, it can be deduced that there is no network issue. But I did check DNS, just to be safe.

Running wbinfo -U and getent passwd show the correct information, the new user is there. Using kinit I can request a Kerberos ticket for him.

I'm not sure if it matters but if I run wbinfo -U on the DC, it will put the realm in front of the username, i.e. SAMDOM\user. On the member server, the realm is not shown.

Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server works fine. But if I run the same command without the -N switch, I get

session setup failed: NT_STATUS_ACCESS_DENIED

I really don't know where else to look. I rebooted the two servers, updated Samba to its latest version (4.6.5), ran sysvolreset... all to no avail.

Probably I'm missing some step here. Hope someone can help me see it.
/etc/samba/smb.conf

[global]
        netbios name = MEMBERSERVER
        workgroup = SAMDOM
        security = ADS
        realm = SAMDOM.EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        username map = /etc/samba/samba_usermap

        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MEILEN:backend = ad
        idmap config MEILEN:schema_mode = rfc2307
        idmap config MEILEN:range = 10000-99999

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = Yes

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
Rowland Penny
2017-Jun-19  06:19 UTC
[Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 02:24:50 +0200 Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> I run a very small Samba AD, consisting of a Samba AD DC and a Samba AD Member Server, acting as file server.
>
> Today, I added a new user to the AD but I simply can't manage to get access to the file server - only for this user, all others are working fine.
>
> My AD is rfc2307 based, so I manually have to add UIDs. I did so for the new user, the ID is within range and not in use. I double checked and compared all other attributes with those of an existing user, no difference, all matches.
>
> As it's working from the other user profiles, it can be deduced that there is no network issue. But I did check DNS, just to be safe.
>
> Running wbinfo -U and getent passwd show the correct information, the new user is there. Using kinit I can request a Kerberos ticket for him.
>
> I'm not sure if it matters but if I run wbinfo -U on the DC, it will put the realm in front of the username, i.e. SAMDOM\user. On the member server, the realm is not shown.
>
> Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server works fine. But if I run the same command without the -N switch, I get
>
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I really don't know where else to look. I rebooted the two servers, updated Samba to its latest version (4.6.5), ran sysvolreset... all to no avail.
>
> Probably I'm missing some step here. Hope someone can help me see it.
>
> /etc/samba/smb.conf
>
> [global]
>
> netbios name = MEMBERSERVER
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> username map = /etc/samba/samba_usermap
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config MEILEN:backend = ad
> idmap config MEILEN:schema_mode = rfc2307
> idmap config MEILEN:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes

OK, it should work, I can see just one problem now that you are using 4.6.5, 'winbind nss info = rfc2307' has been replaced by 'idmap config SAMDOM : unix_nss_info = yes'

Try this and report back.

Rowland
Viktor Trojanovic
2017-Jun-19  09:15 UTC
[Samba] New AD user cannot access file share from member server
Thanks for the quick reply, Rowland.

I changed the respective line in my member server's smb.conf, and restarted smbd, winbindd, and nmbd.

The issue persists. I can access the share with all users except this one.

On 19 June 2017 at 08:19, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 19 Jun 2017 02:24:50 +0200
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> > I run a very small Samba AD, consisting of a Samba AD DC and a Samba AD Member Server, acting as file server.
> >
> > Today, I added a new user to the AD but I simply can't manage to get access to the file server - only for this user, all others are working fine.
> >
> > My AD is rfc2307 based, so I manually have to add UIDs. I did so for the new user, the ID is within range and not in use. I double checked and compared all other attributes with those of an existing user, no difference, all matches.
> >
> > As it's working from the other user profiles, it can be deduced that there is no network issue. But I did check DNS, just to be safe.
> >
> > Running wbinfo -U and getent passwd show the correct information, the new user is there. Using kinit I can request a Kerberos ticket for him.
> >
> > I'm not sure if it matters but if I run wbinfo -U on the DC, it will put the realm in front of the username, i.e. SAMDOM\user. On the member server, the realm is not shown.
> >
> > Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server works fine. But if I run the same command without the -N switch, I get
> >
> > session setup failed: NT_STATUS_ACCESS_DENIED
> >
> > I really don't know where else to look. I rebooted the two servers, updated Samba to its latest version (4.6.5), ran sysvolreset... all to no avail.
> >
> > Probably I'm missing some step here. Hope someone can help me see it.
> >
> > /etc/samba/smb.conf
> >
> > [global]
> >
> > netbios name = MEMBERSERVER
> > workgroup = SAMDOM
> > security = ADS
> > realm = SAMDOM.EXAMPLE.COM
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> >
> > username map = /etc/samba/samba_usermap
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config MEILEN:backend = ad
> > idmap config MEILEN:schema_mode = rfc2307
> > idmap config MEILEN:range = 10000-99999
> >
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = Yes
> >
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
>
> OK, it should work, I can see just one problem now that you are using 4.6.5, 'winbind nss info = rfc2307' has been replaced by 'idmap config SAMDOM : unix_nss_info = yes'
>
> Try this and report back.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Viktor Trojanovic
2017-Jun-19  10:38 UTC
[Samba] New AD user cannot access file share from member server
Here is the DC's smb.conf:
[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        netbios name = DC
        interfaces = lo br-lxc
        bind interfaces only = Yes
        server role = active directory domain controller
        dns forwarder = 192.168.1.2
        idmap_ldb:use rfc2307 = yes
[netlogon]
        path = /var/lib/samba/sysvol/samdom.example.com/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
I'm not sure what you mean by showing you the user's AD object, can you
elaborate?
Samba is running on (Arch) Linux with Kernel 4.11. Clients are Windows 10
with all the latest updates, I'm running the RSAT from there.
On 19 June 2017 at 11:25, Rowland Penny <rpenny at samba.org> wrote:
> On Mon, 19 Jun 2017 11:15:02 +0200
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > Thanks for the quick reply, Rowland.
> >
> > I changed the respective line in my member server's smb.conf, and
> > restarted smbd, winbindd, and nmbd.
> >
> > The issue persists. I can access the share with all users except this
> > one.
> >
>
> OK, can you post the smb.conf from the DC and the users AD object.
>
> Also what OS is this ?
>
> Rowland
>
Rowland Penny
2017-Jun-19  10:59 UTC
[Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 12:38:09 +0200 Viktor Trojanovic <viktor at troja.ch> wrote:
> Here is the DC's smb.conf:
>
> [global]
>         workgroup = SAMDOM
>         realm = SAMDOM.EXAMPLE.COM
>         netbios name = DC
>         interfaces = lo br-lxc
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         dns forwarder = 192.168.1.2
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.example.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

Nothing wrong there

> I'm not sure what you mean by showing you the user's AD object, can you elaborate?

OK, install ldb-tools if not installed, then run this:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"

Just in case it has got split up over multiple lines, the above should be just one line.

Replace:
/usr/local/samba/private/sam.ldb with the path to your sam.ldb
dc=samdom,dc=example,dc=com with your dns/realm names
rowland with your user's name

You should get something like this back:

# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
CN: Rowland Penny
sn: Penny
description: A Unix user
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3365
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
userAccountControl: 66048
codePage: 0
countryCode: 0
homeDrive: H:
pwdLastSet: 130915355010000000
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
accountExpires: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland at samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
gecos: Rowland Penny
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
homeDirectory: \\MEMBER1\home\rowland
objectClass: top
objectClass: securityPrincipal
objectClass: person
objectClass: organizationalPerson
objectClass: user
gidNumber: 10000
lastLogonTimestamp: 131418520439158520
whenChanged: 20170613182723.0Z
uSNChanged: 121030
lastLogon: 131423412865104840
logonCount: 633
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals

Please post that, though you can sanitise it if you like, but if you do, use the same changes throughout.

> Samba is running on (Arch) Linux with Kernel 4.11. Clients are Windows 10 with all the latest updates, I'm running the RSAT from there.

In which case you will not have 'Unix Attributes' tab in ADUC.

Rowland
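As an added illustration (not code from the thread or from Samba), a small Python helper that parses ldbsearch output of the kind Rowland asks for, together with the member server's idmap settings, and checks what the thread is circling around: that the user's uidNumber and gidNumber are present and fall inside the domain's "idmap config DOMAIN:range", and that this range does not overlap the "*" range. The smb.conf fragment and the user record below are constructed samples, not the poster's real data; the domain name and ids are assumptions.

```python
import re
# Constructed sample (not from the thread): the member server's idmap settings.
SMB_CONF = """[global]
        workgroup = SAMDOM
        idmap config *:range = 2000-9999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 10000-99999
"""
# Constructed sample: ldbsearch output for the new user, with one LDIF-folded line.
LDB_RECORD = """# record 1
dn: CN=New User,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: newuser
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
uidNumber: 10042
gidNumber: 10000
"""

def parse_idmap_ranges(conf):
    # {DOM: (low, high)} from every 'idmap config DOM : range = low-high' line
    pat = r"idmap config\s*([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {d: (int(lo), int(hi)) for d, lo, hi in re.findall(pat, conf)}

def parse_ldb_record(text):
    # {attr: [values]}; a line starting with a space continues the previous value
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]
        elif line and not line.startswith("#"):
            key, _, val = line.partition(":")
            last = key.strip()
            attrs.setdefault(last, []).append(val.strip())
    return attrs

def check_user(attrs, ranges, domain):
    # Empty list means the user's rfc2307 ids are usable by the domain's idmap_ad range
    if domain not in ranges:
        return [f"no 'idmap config {domain}:range' found"]
    lo, hi = ranges[domain]
    problems = []
    if "*" in ranges and ranges["*"][0] <= hi and lo <= ranges["*"][1]:
        problems.append(f"{domain} range {lo}-{hi} overlaps the '*' range")
    for attr in ("uidNumber", "gidNumber"):
        if attr not in attrs:
            problems.append(f"{attr} missing")
        elif not lo <= int(attrs[attr][0]) <= hi:
            problems.append(f"{attr}={attrs[attr][0]} outside {domain} range {lo}-{hi}")
    return problems
```

Run check_user(parse_ldb_record(LDB_RECORD), parse_idmap_ranges(SMB_CONF), "SAMDOM") against the real ldbsearch output and smb.conf; the domain argument must be the short (workgroup) name used in the idmap config lines.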